The Cable Guy - September 2006

Network Location Types in Windows Vista

Microsoft® Windows Vista has the ability to automatically configure security and other settings based on the type of network to which the computer is connected. This new feature makes computing more secure and easier for users because they no longer have to be aware of the type of network that they are connected to and configure security settings to prevent unwanted access. A related feature for developers makes it easier to enhance applications by automatically adjusting settings and behaviors for changes in network conditions and for different network types.

Introduction

Modern computers, such as laptop and notebook computers, are highly mobile and can attach to different types of networks depending on their location. On a given day, a person can attach their computer to the network at their employer (for example, an organization network that uses the Active Directory® directory service), the network at their local coffee shop (a public network providing access to the Internet), and the network at their home (a private home network).

The security requirements of these networks are different. For example, there should be more security applied when the computer is connected to the network at the coffee shop to prevent malicious Internet users from attacking or accessing the resources of the computer. On the private home network, separated from the Internet by a gateway or router that is providing firewalling services, the computer can share its files and printers with other computers on the home network.

To transparently configure security settings based on the type of network to which the computer is attached, Windows Vista supports network location types.

Network Location Types

A computer running Windows Vista classifies the network to which it is connected as one of the following location types:

Domain

The computer is connected to a network that contains a domain controller for the domain to which the computer is joined. An example is an organization intranet.

Public

The computer is connected to a network that has a direct connection to the Internet. Examples are public Internet access networks such as those found in airports, libraries, and coffee shops.

Private

The computer is connected to a network that has some level of protection from the Internet and contains known or trusted computers. Examples are home networks or small office networks that are located behind an Internet gateway device that provides firewalling against incoming traffic from the Internet.

A network will only be categorized as private if a user or application identifies the network as private. Only networks located behind an Internet gateway device should be identified as private networks. To designate a network as private, the user must have administrator privileges.

When connecting to a new network, Windows Vista prompts you to select a network location. The following figure shows an example.

The Home and Work network locations are for the Private location type. The Public network location is for the Public location type.

You can view the network location type for the currently connected network from the Network and Sharing Center. The following figure shows an example.

You can click Customize to view additional information about the network and the network location type. The following figure shows an example.

The Set Network Location dialog box will either allow you to select the Public or Private network location type (as shown in the figure), or it will be set for the Domain network location type.

As you connect to networks, Windows Vista will either automatically determine the network location type or prompt the user to specify the network location (the default location is Public). Windows Vista stores the networks to which the computer has connected so that the network location type and its corresponding security settings are automatically applied without requiring the user to manually specify them.

Some components of Windows Vista have different settings based on the network location type. For example, Windows Firewall enforces different policies based upon the location type of the network to which the computer is currently connected. The following figure shows the Windows Firewall with Advanced Security Properties dialog box and how different settings are applied based on the network location type (the Domain Profile, Private Profile, and Public Profile tabs).

Behavior for the Domain Location Type

When a computer running Windows Vista joins an Active Directory domain, it automatically configures the existing network for the Domain location type. After joining the domain, the computer determines that it is on a network of the Domain location type because it can perform a computer-level authentication with a domain controller as part of normal Active Directory operations.

The following settings are automatically configured for networks of the Domain network location type:

Windows Firewall is turned on by default and configured by Group Policy settings downloaded from the Active Directory domain

Network discovery is turned off

All forms of file and printer sharing are turned off, including file sharing, printer sharing, public folder sharing, and media sharing

Behavior for the Public Location Type

For the Public location type, the assumption is that the computer is directly connected to the Internet and therefore exposed to incoming malicious traffic from the Internet. Because of a possible hostile networking environment, the following default settings are automatically configured for networks with the Public location type:

Windows Firewall is turned on

Network discovery is turned off

All forms of file and printer sharing are turned off, including file sharing, printer sharing, public folder sharing, and media sharing

If you change these default settings, they will be applied to every network with the Public location type.

Behavior for the Private Location Type

For the Private location type, the assumption is that the computer is directly connected to a network of computers that you know, or are reasonably certain, does not contain malicious users, and that the network is separated from the Internet by a gateway or router that is performing firewalling against incoming traffic from the Internet. Because of this safer networking environment, the following default settings are automatically configured for networks with the Private network location type:

Windows Firewall is turned on

Network discovery is turned on

All forms of file and printer sharing are turned off, including file sharing, printer sharing, public folder sharing, and media sharing

If you change these default settings, they will be applied to every network with the Private location type.

From the Network and Sharing Center, you can change a network from the Private to the Public location type, or vice versa.
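As an added example that is not part of the original column, the following PowerShell script uses the Network List Manager COM interface (the developer-facing feature mentioned in the introduction) to read the location type of each connected network and then checks with netsh advfirewall that the matching firewall profile reports Windows Firewall as on, as the sections above describe. The CLSID, the numeric category and domain-type values, and the netsh output parsing are assumptions about the API, not details taken from the article.

```powershell
# Added example (not from the original column). Reads each connected network's
# location type through the Network List Manager COM API and audits the matching
# Windows Firewall profile with netsh advfirewall. Run from an elevated prompt.

# Assumption: this CLSID identifies the NetworkListManager coclass on Vista and later.
$nlm = [Activator]::CreateInstance(
    [Type]::GetTypeFromCLSID('DCB00C01-570F-4A9B-8D69-199FDBA5723B'))

# NLM_NETWORK_CATEGORY values returned by INetwork.GetCategory() (assumed mapping)
$categoryName = @{ 0 = 'Public'; 1 = 'Private'; 2 = 'Domain' }
# NLM_DOMAIN_TYPE values returned by INetwork.GetDomainType() (assumed mapping)
$domainTypeName = @{ 0 = 'non-domain'; 1 = 'domain network'; 2 = 'domain authenticated' }
# netsh advfirewall profile keyword that corresponds to each location type
$netshProfile = @{ 0 = 'publicprofile'; 1 = 'privateprofile'; 2 = 'domainprofile' }

# NLM_ENUM_NETWORK_CONNECTED = 1: enumerate only networks the computer is attached to now
foreach ($net in $nlm.GetNetworks(1)) {
    $cat = [int]$net.GetCategory()
    $dom = [int]$net.GetDomainType()
    Write-Host ("Network '{0}': location type {1} ({2})" -f `
        $net.GetName(), $categoryName[$cat], $domainTypeName[$dom])

    # The Domain location type is only expected where computer-level authentication
    # with a domain controller succeeded; anything else deserves a closer look.
    if ($cat -eq 2 -and $dom -ne 2) {
        Write-Warning "  Classified as Domain without domain authentication; verify this network."
    }

    # Ask netsh for the firewall state of the profile this location type maps to;
    # the output contains a line such as "State    ON"
    $stateLine = (netsh advfirewall show $netshProfile[$cat] state) -match '^State'
    $state = ($stateLine -join ' ') -replace '^State\s+', ''
    Write-Host ("  Windows Firewall ({0}): {1}" -f $netshProfile[$cat], $state)

    # Every location type defaults to the firewall being on; flag any deviation,
    # since a changed setting applies to every network of that location type.
    if ($state -notmatch 'ON') {
        Write-Warning ("  Firewall is '{0}' for the {1} profile; the default is ON." -f `
            $state, $categoryName[$cat])
    }
}
```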

For More Information

For more information about networking technologies in Windows Vista, consult the following resources: